Solved: 9500 switch err-disable bpduguard on access port connecting to ISP device

MauricioPenaCastillo46392 · ‎01-13-2021

Hello All,

Looking to connect an ISP circuit on my 9500 switch, the port goes to err-disable state.
Fiber handoff is Single mode and I used proper SFP and fiber jumper.
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port TenGigabitEthernet1/0/30 with BPDU Guard enabled. Disabling port. Reason for err-disable shows bpduguard.

Having no other SFP to test the circuit was connected using Ethernet cable with an RJ45 SFP in same port 30 and changed it to a twin RJ45 port on the ISP device. Same issue.
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port TenGigabitEthernet1/0/30 with BPDU Guard enabled. Disabling port. Reason for err-disable shows bpduguard.

I configure the port to filter BPDUs with the 'spanning-tree bpdufilter enable' command and the port came up fine. I revert connections back to fiber and still up.

Do I have to concern about receiving BPDUs from the ISP device? This is a single link and I don't have physical redundant connections. This is a P2P circuit.

Please advise. Thank you!

paul driver · ‎01-13-2021

Hello
It sounds like the isp is using a handoff switch or the port your connecting to is a bridged interface, As long as your port is an access-port you should be okay.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Georg Pauwen · ‎01-13-2021

Hello,

actually, I think it is a mis(sconfiguration) on the part of the ISP. There should not be any BPDUs sent on their links. I would contact the ISP asap to get them to turn it off on their side.

MauricioPenaCastillo46392 · ‎01-14-2021

Thank you George.
I talked with the ISP technician, not sure if he could turn BPDUs off on that interface...Don't think disabling STP is an option. He is touching base with his colleagues.

MauricioPenaCastillo46392 · ‎01-25-2021

Hello George,

The ISP replied saying they have a pretty much standard configuration on their device and that I should have to find why my device, in this case the switch is not liking the setup.

I left the test port working over 1 week and saw no issues. Finally some days ago I move the fiber to the port I chase for the uplink and is working fine, is an access port with spanning-tree bpdufilter enabled. All working good.

paul driver · ‎01-13-2021

Hello
It sounds like the isp is using a handoff switch or the port your connecting to is a bridged interface, As long as your port is an access-port you should be okay.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MauricioPenaCastillo46392 · ‎01-14-2021

Hello Paul, thanks for helping.

The ISP uses a handoff switch. My port is setup as access. I read that a failure on the link could cause udld to block the port thats why i tried to use the Ethernet cable. Anyway the reason for err-disable was bpduguard not udld, then i should expect having same result before using the Etherent cable.
ISP tech is checking what can be done on his side.

MauricioPenaCastillo46392 · ‎01-25-2021

Hello Paul, I left the test port working over 1 week and saw no issues. Finally some days ago I move the fiber to the port I chase for the uplink and is working fine, is an access port with spanning-tree bpdufilter enabled. All working good.

MauricioPenaCastillo46392 · ‎01-25-2021

All answers were helpful, thank you all. But I think this one helped to reduce the uncertainty if the configuration could cause a problem in the network.

Giuseppe Larosa · ‎01-14-2021

Hello @MauricioPenaCastillo46392 ,

you can also as an alternate way disable STP BPDU guard at interface level

interface TenGigabitEthernet1/0/30

spanning-tree bpduguard disable

I agree with Georg's note : generally it is the ISP side that uses the spanning-tree bpdufilter enable on their side and here it is missing.

So contacting the ISP support stuff may be the best option.

Hope to help

Giuseppe

MauricioPenaCastillo46392 · ‎01-14-2021

Hello Giussepe, Thanks for replying.

Thank you for the tip, we have spanning-tree bpduguard configured globally as a new implemented feature, this was not on the interface per-se.

If ISP configure on his side just my BPDUs will be filtered on his device? Or also he will stop sending BPDUs to my switch.

MauricioPenaCastillo46392 · ‎01-25-2021

Hello Giussepe as mentioned above, the ISP couldnt help and i left the port as access pot with bpdufilter enabled.

I left the test port working over 1 week and saw no issues. Finally some days ago I move the fiber to the port I chase for the uplink and is working fine, is an access port with spanning-tree bpdufilter enabled. All working good.